Posted by Kalyani M. on Sep 30, 2013
While perusing the iPhone app store recently I came across a calorie counting app which I thought would be interesting to try out. I installed the app and started creating a user profile. The app walked me through a series of questions to create the profile – most of them standard (email address, username, password, etc.), but some of them reasonably personal (date of birth, weight, gender, zip code (for targeted ads?)). Having an information security background, and also having worked in the health care industry dealing with sensitive insurance information, I was naturally curious. After all, this is a lot of information. How is the app safeguarding and using this data?
Mobile health apps are ubiquitous. There are applications to count calories, measure heart rate, document sleep patterns, analyze blood sugar and even monitor moods for signs of depression (see Figure 2 for the top 5 mobile health apps). A recent study reveals that there are about 97,000 varieties of inexpensive and easy-to-use mobile health apps available on the market, and all indications point to huge growth in the near future.
The mobile industry tracker Research2Guidance predicts that by 2017 half of the world’s more than 3.4 billion smartphone users will have downloaded health apps. But have we realized what happens to the sensitive data consumers enter into these apps? Most of the apps don’t even deliver the medical miracles they promise – rather, they share that data with advertisers and other third parties without the user’s knowledge. With the huge growth in health apps, the privacy of important medical data has become a cause for concern.
Health apps collect all sorts of personal information, like name, email address, age, height, weight and in some cases even more detailed information about your health. Many users trustfully log everything from diet to sleep patterns in these apps without knowing anything about the companies or developers behind them. By sharing such personal information you may be opening yourself up to targeted advertising, identity theft, and insurance or employment discrimination.
The Privacy Rights Clearinghouse recently released a study funded by the California Consumer Protection Foundation showing the potential privacy risks of mobile fitness and health apps. The study evaluated 43 health and fitness apps (paid and free) on both Google Play and Apple’s App Store to determine the potential risks to important health data being collected, transmitted and stored by these apps. Although the Clearinghouse chose not to include the names of those apps in its report, some of them could have included Nike+ Running, Runkeeper, Lose It! and WebMD.
The findings of the report are summarized in the table below:
This report unveils many security loopholes in the use and storage of sensitive health information collected by mobile medical apps. In addition, according to the report, only 13 percent of free apps and 10 percent of paid apps encrypt all data connections and transmissions between the app and the developer’s website. Probably the biggest difference between paid and free apps was that 43 percent of free apps shared user-generated personally identifiable information (PII) with advertisers, while only 5 percent of paid apps did so.
The Health Insurance Portability and Accountability Act (HIPAA), which limits who can see and receive your health information, instructs doctors, insurers and pharmacies to keep your electronic health records confidential unless you explicitly give permission to share them. However, mobile health app developers are not obliged to follow such regulations if the data is not being used by a covered entity, such as a physician, hospital, or health plan. The apps often send clear, unencrypted data without the user’s knowledge or consent. Some apps even share the user’s location and other personal details with other companies within a few minutes of being turned on, and many share data with advertisers and third parties without the user knowing. Less than half of the free apps have privacy policies in place, and only half of those that had privacy policies described the app’s technical processes accurately. Because of unencrypted connections during data transmission and unprotected data storage, apps end up exposing sensitive data to everyone on the network – a huge privacy risk.
Keeping all these security and privacy concerns in mind, you can take the following steps to protect your data.
Do thorough research and read the reviews to get a good idea of the app before installing it.
Provide only limited information to the app – do not give more than is necessary. Do not allow the app to access your contact list or personal contact details; most apps should not need that information to provide the service they are intended for.
Consider paid apps over free apps, as they tend to offer better privacy protection because they don’t have to rely solely on advertising to make money. Most apps cost a few dollars at most – a small price to pay for something you are going to entrust with personal health information.
Additionally, more work needs to be done from the app developer’s perspective to secure this important data. A few recommendations for app developers are:
Ensure that proper data encryption and security controls are implemented to protect user data, both while it is transmitted and while it is stored.
Review your privacy and security policies and ensure that they comply with federal and state law.
Assess whether the software will be used by a covered entity and whether it will contain confidential patient information, and if so ensure that it is compliant with HIPAA regulations.
Keep your medical data secure
Users sometimes find that selecting a truly protected third-party cloud service can be a challenge, as many “secure” services on the market have glaring security gaps that leave sensitive data wide open to third-party attacks, leaks, and hacking. One rapidly expanding cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment on private servers or outsourced deployment through a private and secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to fit their needs.
SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because the service has absolutely “zero knowledge” of user passwords or data. All plaintext encryption keys are stored exclusively on approved devices, because SpiderOak never hosts any plaintext data. This way, even if programs like the NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux, along with Android and iOS mobile devices, allowing for full flexibility and mobile access.
Interested in SpiderOak Products?
SpiderOak carved its niche as the top choice for those most concerned with privacy.
The engineering goal was simple – devise a plan where users’ files, file-names, file types, folders, and/or any other personal information are never exposed to anyone for any reason (even under government subpoena). This describes SpiderOak’s ‘zero-knowledge’ privacy environment.
SpiderOak offers products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. SpiderOak Hive keeps all your files in sync across your computer and mobile devices. Here the end user owns the data and is the only one with the keys to unlock and look at the plaintext. Sign up for this product today!
SpiderOak Blue works seamlessly in your enterprise environment. To handle authentication it deploys a virtual appliance that resides behind your firewall and integrates with Active Directory / LDAP for single sign-on. SpiderOak Blue is compatible with Mac, Windows, Linux, iOS and Android. SpiderOak Blue is now available through a limited release. We have been working with several large enterprises through the beta period and will continue towards general release. If you’re curious about the product, please send an email to firstname.lastname@example.org and we will get back to you soon.